Cookie law won't bite for a year

British businesses have one year to make sure their websites comply with updated rules governing the use of cookies, the UK's data protection authority has warned.

Information commissioner Christopher Graham has said businesses will have one year before they have to comply with a new EU law on cookies. Photo credit: Jack Putter/Wikipedia

The amendments to the UK Privacy and Electronic Communications Regulations (PECR), which come into force on Thursday, require companies to gain consent before placing the tracking programs on users' computers. The rules have been updated in line with the EU Privacy and Electronic Communications Directive.

However, the cookie consent laws will not be enforced immediately, information commissioner Christopher Graham said on Wednesday.

"We're giving businesses and organisations up to one year to get their house in order," Graham said in a statement. "This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules."

If the Information Commissioner's Office (ICO) receives a complaint about cookies and lack of consent before 26 May, 2012, it will be enough for the company to demonstrate it is taking steps towards complying with the law to avoid enforcement action, a spokesman for the ICO told ZDNet UK.

"We're expecting organisations to look at the law on using cookies on a website and how they can work towards compliance," the spokesman said. "Websites using a large amount of cookies may take a lot longer [to comply]."

Browser settings

Browser makers are working on settings that imply consent to cookies, but these are not yet technically feasible, according to the ICO. "Endless pop-ups" are also not the best option, as these would "ruin some users' browsing experience", it said in its statement.

The data protection agency has changed its website in line with the updated laws, and it now gives users the option to disable cookies if they wish. However, the trade-off is that some ICO services, such as the online notification form for data controllers, will not be available online if tracking is turned off.

The ICO published its PECR enforcement guidance for organisations (PDF) on Wednesday. The amended PECR rules include tougher sanctions against spammers and grant the data protection authority the power to impose fines of up to £500,000 for unsolicited emails and texts. Enforcement of all the new measures, apart from the cookie law, begins immediately.

The Department for Culture, Media and Sport (DCMS) stressed there should be "no immediate changes" to how UK websites operate as a result of the new EU rules.

"It will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a 'phased-in' approach is right," communications minister Ed Vaizey said in a statement.

On Tuesday, Vaizey sent an open letter to UK businesses (PDF) to reassure them that the government's approach to implementing the updated EU Privacy and Electronic Communications Directive was "light touch" and "business friendly".